Are Your Vendors and Contractors CJIS Compliant? You’re Responsible.

A few issues back we discussed the FBI CJIS Security Addendum. We went through what the Security Addendum is, when it is needed, and all the particulars involved in its use.

Today we will be discussing vendor/contractor (we’ll refer to them all as “vendors”) compliance with the CJIS Security Policy as a result of having an executed Security Addendum with your agency. Most importantly, we will highlight your responsibility, as the hiring authority, to ensure your vendors are compliant.

How do YOU know that YOUR vendor is abiding by the terms of the Security Addendum and is complying with the CJIS Security Policy?

In all likelihood, without auditing them yourself, you simply don’t!

You don’t know if they are compliant. You don’t know if they are secure in their practices. You don’t know how they conduct their employee background checks. You don’t know if they are doing what is required to protect access to critical criminal justice information (CJI) and related systems.

What normally happens is that an agency hires a vendor, obtains a signed Security Addendum and generally hopes for or assumes compliance. And you know what happens when assumptions are made.

This can be an issue, especially since your agency, the hiring authority, is responsible for their access to criminal justice information and related systems.

This is extremely important because these are the systems that process and store the critical information your agency relies on each and every day. Having your vendor be compliant with the applicable provisions of the CJIS Security Policy is critically important to your agency and necessary to help support your agency’s mission.

ANY vendor that provides products and/or services to a criminal justice agency (like your agency) where they have or may have access to criminal justice information and systems is required to comply with applicable sections of the CJIS Security Policy.

So, now that we’ve established that you and your agency are responsible for your vendors’ compliance, what can you do about it?

Does your agency have the resources (money, staff or time) and expertise to perform comprehensive audits on each of your vendors? Is your agency going to go through the 200+ pages of the policy and 400+ requirements to determine your vendor’s compliance?

No? You’re not alone — CJIS ACE can help!

How?

CJIS ACE for Providers.

When your vendor subscribes to the CJIS ACE for Providers service, the CJIS ACE team works with them to help ensure initial and continued compliance with the CJIS Security Policy.

After a comprehensive assessment, the CJIS ACE team will provide the vendor with a Compliance Profile, which is a report-card type rating that shows their compliance state with respect to the CJIS Security Policy (and other applicable policies). From there, the provider can work with the CJIS ACE team toward initial or continuing compliance as an assurance to their customers.

This service gives the vendor’s clients (your agency) the freedom to focus on critical day-to-day tasks, knowing that the vendor takes the security of your criminal justice information and systems seriously and values you as a client.

We created a quick video for you to share with your vendors highlighting the CJIS ACE for Providers service.

Like your agency, providers of criminal justice services and/or products are required to comply with applicable sections of the CJIS Security Policy.

Compliance with the minimum requirements set forth in the policy is essential to providing appropriate controls to protect the confidentiality, integrity and availability of critical criminal justice information.

Additionally, compliance contributes to maintaining the operational integrity and security of interconnected criminal justice information systems that allow all criminal justice and law enforcement agencies to carry out their respective missions.

Were you forwarded this newsletter, and did you find the content useful? Then please take a few seconds and subscribe to our newsletter.

CJIS ACE is a division at DCI that helps law enforcement agencies comply with the FBI CJIS Security Policy and NCIC requirements. CJIS ACE services are designed to help you be proactive in strengthening your agency’s information security profile and in complying with any other security policies that may be required (e.g. a State or County IT Security Policy). CJIS ACE brings real-world experience at the ready to assist your agency’s personnel in navigating the daunting and complicated path through audits and information security policy compliance.